[JIRA] (JENKINS-61925) Upcoming Chrome SameSite policy change will break HTML Publisher plugin


davidepesa@gmail.com (JIRA)

Apr 15, 2020, 11:54:03 PM
to jenkinsc...@googlegroups.com
Davide Pesavento created an issue
 
Jenkins / Bug JENKINS-61925
Upcoming Chrome SameSite policy change will break HTML Publisher plugin
Issue Type: Bug
Assignee: Richard Bywater
Components: htmlpublisher-plugin
Created: 2020-04-16 03:53
Environment: Jenkins 2.228
htmlpublisher v1.22
Priority: Major
Reporter: Davide Pesavento

Google Chrome is about to change behavior for cookies without a SameSite attribute, see https://web.dev/samesite-cookies-explained/ and https://www.chromium.org/updates/same-site. The rollout, originally planned for February/March, has now been postponed until the summer. Other browsers will eventually ship the same changes.

We're using the HTML Publisher plugin to publish LCOV-generated code coverage reports. The new SameSite behavior described above, together with the default Content-Security-Policy header, seems to break this use case. Specifically, the cookies set by Jenkins don't include a SameSite attribute and therefore are no longer being sent by the browser when the HTML report page tries to load additional resources (CSS and images), because they are considered cross-site requests. And without the session cookie, these requests are rejected by Jenkins with an HTTP 403 error.

Removing "sandbox" from the default hudson.model.DirectoryBrowserSupport.CSP setting works around the issue, but seems less than ideal.

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
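The mechanism the issue describes, as an added example that is not code from the thread, from the HTML Publisher plugin or from Jenkins: a small Python audit that parses a response's Set-Cookie and Content-Security-Policy headers and reports which cookies a browser with Lax-by-default SameSite handling would withhold from the CSS and image requests made by a sandboxed report page. The header values, the cookie name JSESSIONID.constructed and the CSP strings (modelled on the default that the report says begins with `sandbox`) are constructed for this example, and the browser decision is a simplified model that ignores the Lax+POST grace period, which does not apply to GET subresource requests anyway.

```python
"""Header audit for the breakage reported in JENKINS-61925.

A cookie set without a SameSite attribute is treated as SameSite=Lax by a browser
that has shipped the Lax-by-default change. A page served with a CSP `sandbox`
directive (and no allow-same-origin) runs under an opaque origin, so the CSS and
image requests it issues are cross-site and go out without that cookie.

Every header value in this file is constructed for the example; none was
captured from a real Jenkins instance.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def samesite(self) -> Optional[str]:
        value = self.attributes.get("samesite")
        return value.lower() if value else None

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into the cookie name and its attributes (keys lower-cased)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attributes: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if part:
            key, has_value, value = part.partition("=")
            attributes[key.strip().lower()] = value.strip() if has_value else None
    return Cookie(name, attributes)


def csp_sandboxes_document(csp: str) -> bool:
    """True when the CSP carries a sandbox directive without allow-same-origin,
    i.e. the document will run under an opaque origin."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "sandbox":
            return "allow-same-origin" not in {t.lower() for t in tokens[1:]}
    return False


def cookie_sent_on_subresource(cookie: Cookie, sandboxed: bool, lax_by_default: bool) -> bool:
    """Simplified model of the browser decision for a CSS/image request made by the page."""
    if not sandboxed:
        return True  # document keeps its origin: the request is same-site, every mode allows it
    # Opaque origin -> the request counts as cross-site.
    mode = cookie.samesite or ("lax" if lax_by_default else "none")
    if mode == "none":
        # Under the new policy SameSite=None is only honoured together with Secure.
        return cookie.secure or not lax_by_default
    return False  # Lax and Strict both withhold the cookie on a cross-site subresource request


def audit(headers: List[Tuple[str, str]], lax_by_default: bool = True) -> List[str]:
    """Return one finding per cookie that the modelled browser would drop from
    requests issued by the report page described by these response headers."""
    csp = next((v for k, v in headers if k.lower() == "content-security-policy"), "")
    sandboxed = csp_sandboxes_document(csp)
    findings: List[str] = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie_sent_on_subresource(cookie, sandboxed, lax_by_default):
            continue
        if cookie.samesite is None:
            reason = "no SameSite attribute, treated as Lax"
        elif cookie.samesite == "none":
            reason = "SameSite=None without Secure is rejected"
        else:
            reason = f"SameSite={cookie.samesite}"
        findings.append(f"{cookie.name}: {reason}; withheld from the sandboxed report's "
                        "CSS/image requests, so the server answers those without a session")
    return findings


# Constructed headers for the report page as the issue describes it: a session
# cookie without SameSite and a CSP whose first directive is `sandbox`.
REPORT_HEADERS_BEFORE = [
    ("Content-Security-Policy", "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"),
    ("Set-Cookie", "JSESSIONID.constructed=opaque-session-id; Path=/; HttpOnly"),
]

# Same response, cookie issued with the attributes browsers require for cross-site use.
REPORT_HEADERS_SAMESITE_NONE = [
    ("Content-Security-Policy", "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"),
    ("Set-Cookie", "JSESSIONID.constructed=opaque-session-id; Path=/; HttpOnly; Secure; SameSite=None"),
]

# The workaround from the report: `sandbox` removed, so the page keeps its origin.
REPORT_HEADERS_NO_SANDBOX = [
    ("Content-Security-Policy", "default-src 'none'; img-src 'self'; style-src 'self';"),
    ("Set-Cookie", "JSESSIONID.constructed=opaque-session-id; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", REPORT_HEADERS_BEFORE),
                        ("SameSite=None; Secure", REPORT_HEADERS_SAMESITE_NONE),
                        ("no sandbox", REPORT_HEADERS_NO_SANDBOX)):
        print(label, "->", audit(hdrs) or "no findings")
```

The first header set reproduces the reported failure: one finding for the session cookie, and none when the model is run with `lax_by_default=False`, which is why older browsers were unaffected. The third set is the workaround from the report, where the page keeps its origin and the cookie travels regardless of its SameSite mode. The second set shows `SameSite=None; Secure`, the only attribute combination that the new policy lets a cookie carry on cross-site requests; it is a trade-off rather than a free fix, because it also gives up the CSRF protection that the Lax default provides for that cookie.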

richard@bywater.nz (JIRA)

Apr 24, 2020, 5:32:02 AM
to jenkinsc...@googlegroups.com
Richard Bywater commented on Bug JENKINS-61925
 
Re: Upcoming Chrome SameSite policy change will break HTML Publisher plugin

Thanks for the report and apologies for the delay in responding. With all that's going on in the world it's taking a while to get to things.

I'll take a look at this as soon as I can to see the impact and what fixes are possible. In the meantime, do you happen to know what month "summer" is in the context of the announcement? I assume it means US summer, so if you happen to be able to clarify when that is for a non-US resident, that'd be great.

 

davidepesa@gmail.com (JIRA)

Apr 24, 2020, 3:58:02 PM
to jenkinsc...@googlegroups.com

That's all the announcement says: "we’re now aiming for over the summer". I don't have any more specific info. And yes, I think we can assume it means northern hemisphere summer.

Also note that "Non-stable Chrome channels (e.g. Dev, Canary, and Beta) will continue with 50% enablement in Chrome 80 and later". I'm able to reproduce the problem with Chrome 83 beta (I guess I'm one of the "lucky" 50%).

davidepesa@gmail.com (JIRA)

Apr 24, 2020, 4:00:02 PM
to jenkinsc...@googlegroups.com
Davide Pesavento edited a comment on Bug JENKINS-61925
That's all the announcement says: "we’re now aiming for over the summer". I don't have any more specific info. And yes, I think we can assume it means northern hemisphere summer, so June to September.


Also note that "Non-stable Chrome channels (e.g. Dev, Canary, and Beta) will continue with 50% enablement in Chrome 80 and later". I'm able to reproduce the problem with Chrome 83 beta (I guess I'm one of the "lucky" 50%).

richard@bywater.nz (JIRA)

Apr 25, 2020, 9:17:04 PM
to jenkinsc...@googlegroups.com

Thanks Davide Pesavento - if there's nothing particularly sensitive about the calls being made, I'm just wondering if you would be able to share a HAR file (see e.g. https://support.zendesk.com/hc/en-us/articles/204410413-Generating-a-HAR-file-for-troubleshooting for details if you aren't sure how) to record the requests & responses so I can get an idea about what is being passed when the 403 is returned etc. Also a copy of any errors in the browser console would be useful too.

The Chrome changes relate to cookies, and HTML Publisher itself doesn't really do anything special with cookies, so I'm just wanting to try and get more info so that I can work out if this is something in my realm to fix or if I'll have to kick it over to the Jenkins Core developers.
